1997-09-26 - Re: Exports and criminalizing crypto

Header Data

From: Adam Back <aba@dcs.ex.ac.uk>
To: jsmith58@hotmail.com
Message Hash: cefe014b158be266e7e81fdd2c03be5d72cbc37d55809a462e22b30bad7c968b
Message ID: <199709260054.BAA00705@server.test.net>
Reply To: <19970925215418.1688.qmail@hotmail.com>
UTC Datetime: 1997-09-26 01:19:41 UTC
Raw Date: Fri, 26 Sep 1997 09:19:41 +0800

Raw message

From: Adam Back <aba@dcs.ex.ac.uk>
Date: Fri, 26 Sep 1997 09:19:41 +0800
To: jsmith58@hotmail.com
Subject: Re: Exports and criminalizing crypto
In-Reply-To: <19970925215418.1688.qmail@hotmail.com>
Message-ID: <199709260054.BAA00705@server.test.net>
MIME-Version: 1.0
Content-Type: text/plain




John Smith <jsmith58@hotmail.com> writes:
> Adam Back <aba@dcs.ex.ac.uk> writes:
> >You reference Ian Goldberg claiming to have to work on crypto during
> >trips to Canada.  I think he was just trying to make a political
> >point.  I submit that he could write and publish all the crypto he
> >wants in the US (on one of those "export controlled" sites).  It will
> >get illegally exported in no time at all.  Where's the problem?
> 
> That's easy for you to say, there in England.  You don't have these
> export controls, right?  

We have different export controls.  You can export what you want
electronically right now.  And, so I hear, the exporter is defined as
the person who downloads from your web site, so lots of hits from Iraq
is no problem.  Start to talk about tangible things and you require a
license.  You can get export licenses for strong crypto, 128 bit etc,
just the spooks like to know what's going on, who you're selling to
etc.  I think it probably depends who you're exporting to, etc, etc.
Ie I don't know that the results are publically published, nor reasons
for rejections, etc. so I don't really know how it works out in
practice.

Interestingly perhaps all the T-shirts with the .sig on them I have
been exporting to Russia, France, Peru, Brazil, etc. (could someone
from Iraq order one -- that'd be fun) are probably export violations
from the UK too.  I mean it has crypto on it, and it is tangible, and
I haven't asked for permission.  (I'm sure they would grant
permission, but I guess technically I'm supposed to ask them).

> How can you say what Ian Goldberg should do.  

Does do.  He wrote a loop back crypto driver for linux.  It's
available on the cypherpunks ftp site at berkeley.  It's also
available at the Italian crypto ftp site.  I was presuming he wrote it
in the US, as his instructions include a for export version with the
crypto chopped out and instructions on how to put it back in.

Anyway, let's see.  Other people write crypto code in the US.  They
set up a revolving directory or some other check.  MPJ had such a
site.  People do this with no legal problems, even Netscape does it
with US government official approval.

So clearly it's not illegal.

Anyway, for freeware crypto, it gets illegally exported (presumably by
third parties) and openly mirrored outside the US.  So where is the
problem that is holding up freeware crypto? 

Actually there are less direct problems, such as loss of interactive
collaboration from non-US contributors, etc.  But you see my point I
hope.

> >William Geiger has PGP on a non-export controlled site, and the export
> >bods haven't said a word, so it's not even clear that they care about
> >freeware at this point.
> 
> PGP is a special case because it is already out there everywhere.

So you're going to export it too?

> Still the example of Phil Zimmerman is a good one.  Even though he
> got away with it eventually, they showed how they can make your life
> hard.  Probably the only reason he didn't get charged was because
> they couldn't prove anything.  

I think it most likely that it was because it wouldn't have been in
their interests due to negative publicity, Zimmermann was a folk hero
by then.  Course nobody knows the official reason, not even Zimmermann
himself.  His lawyer knows, but the condition of knowing is not being
allowed to tell other people the reason, so PRZ chose not to know.

> Not many people are going to be willing to take that chance.
> William Geiger and a few others may be exceptions, but most people
> won't openly break a law which has strong penalties like this.

No?

This program is officially not exportable according to USG.  Prof
Peter Junger obtained a written decision stating this to be
non-exportable:

#!/bin/perl -sp0777i<X+d*lMLa^*lN%0]dsXx++lMlN/dsM0<j]dsj
$/=unpack('H*',$_);$_=`echo 16dio\U$k"SK$/SM$n\EsN0p[lN*1
lK[d2%Sa2/d0$^Ixp"|dc`;s/\W//g;$_=pack('H*',/((..)*)$/)

I've seen lots of people export it.  Actually the export rate has
picked up a bit since Junger obtained that excellent result.

> A lot of hackers thought they'd be heros but ended up doing time.
> Read that letter from Jim Bell if you want to see how different
> things look once the government comes down on you.

Really I agree.  Jim Bell is a different case, possibly more to do
with these common law courts he was apparently involved in, and
various IRS arguments, but perhaps also to do with his essays
describing betting pools to remove congress-critters.

I wasn't suggesting Ian should violate the export regulations.  Rather
that it's not a problem because interesting software invariably gets
exported anyway.  So let someone else do the exporting, or importing,
or whatever happens..

> But after all the opposition which came out, from practically every
> interest group there is, I am sure that there is no way domestic
> controls on crypto are going to pass.  

Could be.  Hope you're right.  The other less favourable example is
the phone tapping regs they bought in, and the clipper chip.  Clipper
chip was the classic, they all voted against it, so Klinton brought it
in as a government standard by presidential decree.

Adam
-- 
Now officially an EAR violation...
Have *you* violated EAR today? --> http://www.dcs.ex.ac.uk/~aba/rsa/

print pack"C*",split/\D+/,`echo "16iII*o\U@{$/=$z;[(pop,pop,unpack"H*",<>
)]}\EsMsKsN0[lN*1lK[d2%Sa2/d0<X+d*lMLa^*lN%0]dsXx++lMlN/dsM0<J]dsJxp"|dc`






Thread